Attackers are mass-exploiting a flaw in Gravity SMTP, a WordPress email plugin installed on about 100,000 sites, to harvest credentials without any login. The bug (CVE-2026-4020) leaves a REST API endpoint with a permission check that always passes, so a single unauthenticated request returns a 365 KB system report containing API keys, secrets, and OAuth tokens for connected email services like Amazon SES, Mailjet, and Zoho, plus detailed software-stack information. Wordfence has blocked more than 17 million attempts, with activity spiking around June 6 and 7. A patch shipped in version 2.1.5, but updating does not revoke keys attackers may have already grabbed.
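The bug class behind the Gravity SMTP item is a WordPress REST route whose permission_callback always returns true, which makes the route public to anyone who can reach /wp-json/. The PHP below is an added illustration written for this digest, not Gravity SMTP's own code and not its actual flawed route; the namespace example-smtp/v1, the /system-report path, the option key example_smtp_settings and every function name are hypothetical. It places the always-pass pattern next to a hardened version that requires the manage_options capability and masks credential-like fields even for an authorized caller, since a diagnostics report should never carry live secrets.

```php
<?php
// Added example, not Gravity SMTP's code. Route names, option keys and
// function names are hypothetical; the WordPress APIs used are real.

// VULNERABLE PATTERN: '__return_true' as the permission_callback marks the
// route as public, so an unauthenticated GET to
// /wp-json/example-smtp/v1/system-report receives the full report.
function example_smtp_register_vulnerable_route() {
    register_rest_route( 'example-smtp/v1', '/system-report', array(
        'methods'             => 'GET',
        'callback'            => 'example_smtp_build_report',
        'permission_callback' => '__return_true', // BUG: no authorization at all
    ) );
}

// HARDENED PATTERN: gate the route on a capability and return only a
// redacted report, so even an administrator cannot leak keys by sharing it.
function example_smtp_register_hardened_route() {
    register_rest_route( 'example-smtp/v1', '/system-report', array(
        'methods'             => 'GET',
        'callback'            => 'example_smtp_build_redacted_report',
        'permission_callback' => 'example_smtp_can_view_report',
    ) );
}

function example_smtp_can_view_report( WP_REST_Request $request ) {
    // Only site administrators may read diagnostics. Cookie-authenticated
    // callers must also send a valid X-WP-Nonce header; WordPress core checks
    // it before this callback runs and otherwise treats the caller as logged
    // out, so current_user_can() returns false for a forged browser request.
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to view the system report.', 'example-smtp' ),
        array( 'status' => rest_authorization_required_code() ) // 401 or 403
    );
}

// Hypothetical report assembly: connector settings of this shape (API keys,
// secrets, OAuth tokens for mail providers) are what the real report exposed.
function example_smtp_build_report( WP_REST_Request $request ) {
    $settings = get_option( 'example_smtp_settings', array() );
    return rest_ensure_response( array(
        'php_version' => PHP_VERSION,
        'connectors'  => $settings,
    ) );
}

// Recursively mask any field whose key looks like a credential.
function example_smtp_redact( array $data ) {
    $sensitive = array( 'api_key', 'secret', 'password', 'token', 'oauth' );
    foreach ( $data as $key => $value ) {
        if ( is_array( $value ) ) {
            $data[ $key ] = example_smtp_redact( $value );
            continue;
        }
        foreach ( $sensitive as $needle ) {
            if ( false !== stripos( (string) $key, $needle ) ) {
                $data[ $key ] = '[redacted]';
                break;
            }
        }
    }
    return $data;
}

function example_smtp_build_redacted_report( WP_REST_Request $request ) {
    $settings = get_option( 'example_smtp_settings', array() );
    return rest_ensure_response( array(
        'php_version' => PHP_VERSION,
        'connectors'  => example_smtp_redact( $settings ),
    ) );
}

// Only the hardened route is hooked; the vulnerable one is shown for contrast.
add_action( 'rest_api_init', 'example_smtp_register_hardened_route' );
```

Two points follow from the digest item. First, on a site that ran the flawed version while the exploitation wave was active, fixing the permission check is containment, not recovery: the report has already been served, so every connector key, secret and OAuth token it contained has to be rotated at the mail provider. Second, an audit of other plugins can grep for permission_callback values of '__return_true' and ask, route by route, whether the response genuinely contains nothing a logged-out visitor should not see.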
Aikido Security's Joe Leon has documented that standard Google Cloud API keys keep working for up to 23 minutes after they are deleted from the GCP console, with a median revocation window of 16 minutes. Over 10 trials across two days, the team kept sending authenticated requests at 3-5 per second; one trial saw 79% of requests succeed one minute after deletion. During this window, an attacker holding a leaked key retains full access to any enabled API on the project, including Gemini file dumps, BigQuery, and Maps. Google closed the bug report as 'won't fix.' Service-account deletions propagate in around 5 seconds; only standard API keys are slow.
Instructure disclosed Friday that a 'criminal threat actor' breached its systems. The company runs Canvas, the learning management platform used by schools, universities, and corporate training programs - and a successful breach exposes student records, teacher records, course content, and grades. Instructure has not said how many users are affected or what data was taken, only that outside forensic investigators are examining the incident. Canvas Data 2 and Canvas Beta have been in maintenance since May 1, with customers warned about API key issues. The pattern matches the January 2025 PowerSchool breach, which exposed data on 62 million students and is still being followed by ransom demands against individual schools.